
CVE-2025-2945: pgAdmin 4 Vulnerable to Remote Code Execution

CVSS Score: 10 (CVSS v3.1)

Basic Information

EPSS Score: 0.9699%
Published: 4/3/2025
Updated: 4/4/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
pgadmin4       pip         < 9.2                 9.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is clearly shown in the patch files where two functions were modified to remove direct eval() calls on user-provided input. Both functions process POST request parameters ('high_availability' and 'query_commited') that were previously passed to eval() without proper validation. The patch replaces these dangerous eval() calls with safer string comparison operations. These are the exact functions that would appear in a runtime profiler when the vulnerability is being exploited, as they directly process the malicious input before the eval() call (in vulnerable versions). The confidence is high because the patch explicitly shows the removal of eval() calls on user-controlled input in both cases.


WAF Protection Rules

WAF Rule

Remote code execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints: /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy and
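The root cause analysis and the WAF rule above both come down to the same defect: a boolean-typed POST parameter was handed to eval() instead of being compared against the accepted literals. The following is an added illustration, not pgAdmin's code and not Miggo's rule logic: it shows the pre-patch pattern, the string-comparison pattern the patch swapped in, and a small defender-side check that flags requests where these parameters carry anything other than a boolean literal. The function names, the dict-shaped request parameters, the case-insensitive comparison and the sample requests are assumptions made for the demonstration; only the parameter names come from the analysis text.

```python
"""
Constructed example for the eval()-on-POST-parameter defect described in the
CVE-2025-2945 analysis. Not pgAdmin's source: function names, the dict-shaped
request parameters and the sample requests are assumptions for this demo.
"""

# Parameter names taken from the analysis text above; they belong to the
# Query Tool download handler and the cloud deployment handler respectively.
BOOLEAN_PARAMS = ("high_availability", "query_commited")


def parse_flag_vulnerable(params: dict, name: str):
    """Pre-patch pattern (assumed shape): the raw string goes straight to
    eval(), so any Python expression in the parameter is evaluated with the
    server's privileges. Kept here only to show the behaviour; never pass
    request data to eval()."""
    return eval(params.get(name, "False"))


def parse_flag_hardened(params: dict, name: str) -> bool:
    """Post-patch pattern: compare the raw string against the accepted
    literals and reject everything else instead of evaluating it.
    (Case-insensitive matching is this example's choice, not the project's.)"""
    raw = params.get(name, "false")
    if not isinstance(raw, str):
        raise ValueError(f"{name}: expected a string, got {type(raw).__name__}")
    normalized = raw.strip().lower()
    if normalized == "true":
        return True
    if normalized == "false":
        return False
    raise ValueError(f"{name}: expected 'true' or 'false', got {raw!r}")


def flag_suspicious_request(params: dict) -> list:
    """Defender-side check: report boolean-typed parameters carrying anything
    other than a boolean literal. On an unpatched (< 9.2) deployment that is
    the signal a WAF rule or application log alert should key on."""
    findings = []
    for name in BOOLEAN_PARAMS:
        if name in params:
            try:
                parse_flag_hardened(params, name)
            except ValueError as exc:
                findings.append(str(exc))
    return findings


# Constructed sample requests: a normal flag, and one carrying a harmless
# arithmetic expression, which is enough to show that the vulnerable parser
# evaluates arbitrary input rather than reading a boolean.
NORMAL_REQUEST = {"query_commited": "True"}
EXPRESSION_REQUEST = {"query_commited": "1 + 1"}

if __name__ == "__main__":
    print(parse_flag_vulnerable(NORMAL_REQUEST, "query_commited"))      # True
    print(parse_flag_vulnerable(EXPRESSION_REQUEST, "query_commited"))  # 2: an expression was evaluated
    print(parse_flag_hardened(NORMAL_REQUEST, "query_commited"))        # True
    print(flag_suspicious_request(NORMAL_REQUEST))                      # []
    print(flag_suspicious_request(EXPRESSION_REQUEST))                  # one finding
```

The contrast worth noticing is that the hardened parser has exactly two accepted inputs and a single failure path, so the detection check can reuse it directly: whatever the parser rejects is, by construction, the class of input that would have reached eval() before the patch.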
